by tptacek 2932 days ago
I don't think this is a particularly productive way to look at things. RSA has been used for a long time, but the vulnerabilities we find in RSA implementations (for instance, the recent Yubikey RSA keygen flaw) tend to be traceable to things we knew a decade, or sometimes two decades, ago. There's very little general evidence of maturity in crypto development, so that you'd assume that a vendor would learn from industry experience in building something. You just have to sort of guess which constructions they'd have an easier time coding safely.